OPNsense Forum
English Forums => General Discussion => Topic started by: JoK on August 01, 2020, 09:51:22 am
-
Hi
I got a camera that I would like to block from accessing the Internet, how do I do that? I really don't want to mess things up, that's why I ask :-)
Thanks
-
Variant 1: Give it a static DHCP lease and block access from that IP address.
Variant 2: Put it into a network where no device has Internet access.
-
Maybe this can help:
https://homenetworkguy.com/how-to/firewall-rules-cheat-sheet/#block-a-single-device-on-vlan-10-from-accessing-the-internet
-
> Maybe this can help:
> https://homenetworkguy.com/how-to/firewall-rules-cheat-sheet/#block-a-single-device-on-vlan-10-from-accessing-the-internet
It has a static IP address, but how do I set a rule, or some other way, to block that one IP address from accessing the Internet? It's a camera and the block should only be to the Internet, not the LAN. If I try to type in the specific IP address 192.168.1.4 there is a dropdown box out at the right...?? Sorry, I'm a noob in FW rules.
-
Firewall -> Rules -> WAN interface, create a new rule that only has the static IP as source, direction out, and action block?
-
Okay, so I decided to test this myself: I tried to block my mobile's Wi-Fi from connecting to the Internet - failure. No matter how I did it (floating, alias, direct IP, source, destination, out or in), it made no difference.
I'm with JoK on this: how am I supposed to block one static IP from accessing the Internet?
-
And another google search found the answer on this forum:
https://forum.opnsense.org/index.php?topic=17664.0
I should not put this rule on WAN but on LAN (or in my case ALL_LAN, which is a group of interfaces), direction IN, with the source being the IP I would like to block (or in my case I made an alias list of hosts, as in the thread mentioned above). Done.
-
Thanks for your reply, any words on what the dropdown box is for, right beside the box where the IP address is typed in??
-
This one
-
24
-
> 24
Thanks, but what is it?
-
I tried to make the rule as suggested and turned on logging, but the rule seems to block IP address 192.168.1.102... and not 192.168.1.4....
I give up ...🙁
-
> 24
> Thanks, but what is it?
It is the netmask for the IP address, see here for example:
http://www.sput.nl/internet/netmask-table.html
-
Don't give up - we are here, it's just not real time all the time ;-)
This is how I have done this: I created an alias to collect all the IPs I would like to stop from accessing the Internet in one place - this way I only alter the alias and never any rules.
I then have a firewall rule on the interface (which in my case happens to be a firewall group of more than one interface).
I included the rule itself on the third attachment, so you might follow a bit easier.
(and then I wonder how I include the attachment in this text but that is another story I guess...)
-
Oh, so you made an alias or "group" that can contain all the IPs you want to block, yeah that sounds easier than making a rule for each IP, and you can add more IPs along the way... right?
What's the "Source/invert"?
The destination you have marked as "All_LAN", is that, in my case, just LAN... I only have one? :-) ... I would have guessed this should have been Internet.
-
Well.... I tried to put my iPad's IP address in the alias to test this, and it's still online, what the fudge am I doing wrong?
I did it EXACTLY like in your pictures, except I chose "LAN net" instead of your "ALL_LAN".
-
ALL_LAN = my "LAN" interface and 3 more interfaces that all represent the "inside" interfaces, grouped together. Easier to handle, so to speak.
I hope you selected Destination/invert - and not Source/invert. Double check - it is very easy to miss the small details :-( I know that for a fact. Anyway, "Destination/invert" is like "not" (notice the small "!" before "All_LAN net" on "Interface.jpg"). So double check that your rule is identical except "LAN net" instead of "All_LAN net", including the "!".
Or to copy someone else:
LAN Interface inbound
Source -> Device IP
Destination -> Invert LAN
Protocol -> ANY
Action -> Block/Drop
-
A screenshot; it should be almost identical to yours, except the name.
-
one more
-
You need to move the block rule BEFORE the first ip4 rule...
-
Like this?
-
Weeee... it's now working, thank you SOOOOO much for your kind help and patience :-)
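The rule the thread converges on (LAN interface, direction in, source = device IP or alias, destination = inverted "LAN net", any protocol, action block) plus the two details people tripped over, the "/24" netmask dropdown and the need to put the block rule above the default "LAN to any" pass rule, can be checked with a small first-match simulator. This is an added example, not code from the thread or from OPNsense: it models how OPNsense evaluates a GUI rule list (rules carry "Quick" by default, so the first match decides, and an implicit default deny applies when nothing matches). The address 192.168.1.4 and the /24 LAN come from the thread; the other host 192.168.1.102, the Internet destination 203.0.113.10 (a documentation address) and the rule names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values (192.168.1.4 and the /24 LAN are from the thread,
# the rest are assumptions for this example).
LAN_NET = "192.168.1.0/24"
CAMERA = "192.168.1.4"
OTHER_HOST = "192.168.1.102"
INTERNET_HOST = "203.0.113.10"
ANY = "0.0.0.0/0"


@dataclass
class Rule:
    name: str
    action: str                     # "pass" or "block"
    source: str                     # what is typed in Source plus the /N dropdown
    destination: str                # same for Destination
    source_invert: bool = False     # the "Source/invert" checkbox
    destination_invert: bool = False  # the "Destination/invert" checkbox, shown as "!"


def matches(cidr, addr, invert):
    """True if addr falls inside cidr; 'invert' flips the result ("not")."""
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)
    return inside != invert


def evaluate(rules, src, dst):
    """First-match evaluation of one interface's inbound rule list.
    Returns (action, rule name); nothing matching means the default deny."""
    for rule in rules:
        if matches(rule.source, src, rule.source_invert) and \
           matches(rule.destination, dst, rule.destination_invert):
            return rule.action, rule.name
    return "block", "default deny"


def lan_rules(block_first=True, camera_prefix=32):
    """The LAN 'in' rule list from the thread: a block rule for the camera with
    destination '!LAN net', and the usual 'LAN net -> any' pass rule.
    camera_prefix is the /N picked in the dropdown next to the address."""
    block_camera = Rule(
        name="block camera to Internet",
        action="block",
        source=f"{CAMERA}/{camera_prefix}",
        destination=LAN_NET,
        destination_invert=True,        # "Destination -> Invert LAN"
    )
    allow_lan = Rule(
        name="allow LAN to any (assumed default pass rule)",
        action="pass",
        source=LAN_NET,
        destination=ANY,
    )
    return [block_camera, allow_lan] if block_first else [allow_lan, block_camera]


if __name__ == "__main__":
    # Block rule below the pass rule: the pass rule matches first, camera stays online.
    print("wrong order :", evaluate(lan_rules(block_first=False), CAMERA, INTERNET_HOST))
    # Block rule above: camera to Internet is blocked, camera to LAN still passes.
    print("camera->inet:", evaluate(lan_rules(), CAMERA, INTERNET_HOST))
    print("camera->lan :", evaluate(lan_rules(), CAMERA, "192.168.1.10"))
    print("other->inet :", evaluate(lan_rules(), OTHER_HOST, INTERNET_HOST))
    # Picking /24 in the dropdown turns 192.168.1.4 into the whole 192.168.1.0/24,
    # so every LAN host is blocked, not just the camera.
    print("/24 mistake :", evaluate(lan_rules(camera_prefix=24), OTHER_HOST, INTERNET_HOST))
```

The same simulation explains the "/32 vs /24" dropdown: a single host is /32, and choosing /24 makes the source match the entire LAN, which is exactly the symptom of other hosts being blocked while the camera rule is in place.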